[
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699464#comment-17699464
]
Damon Cortesi commented on LIVY-878:
------------------------------------
Think I'm making some good progress on this. The biggest blocker for me has
just been all the transitive dependencies. The versions spark-core,
hadoop-common, and zookeper are all extremely out-of-date, but through an
iterative process of {{mvn org.owasp:dependency-check-maven:aggregate
-DskipSystemScope=true}} and {{mvn dependency:tree -Dincludes=log4j:log4j}} I
think I'll have a PR open tomorrow.
> Log4j upgrade for Livy 0.8.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for an advise from you in context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 version is being used by our team for processing
> the spark jobs . It uses the Log4j 1.x.x. which is not having any continued
> support.
> We would like to upgrade the Log4j versions to the latest stable version
> 2.15 without having any impact on the installations .
>
> Could you please recommend the possible ways to do the upgrade .Please note ,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue
> .
> Our requirement is to retain the current installed version and configurations
> with only changes in the Log4j versions
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
